In our second installment of the Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we tackle the bane of many InfoSec teams: Deciding which vulnerabilities to remediate first.
Thousands of new vulnerabilities are disclosed every year, so knowing which ones must be immediately patched or mitigated has become a major challenge for InfoSec teams everywhere.
No security team has the resources to patch every single one, and even if they did, they’d still need to identify and address the most critical ones first. Why? Because not all vulnerabilities are created equal. Some are trivial, while others can be disastrous. Pinpointing the software that must be patched with the greatest urgency is essential.
Unfortunately, many organizations lack a precise, strategic, automated and systematic process for prioritizing their vulnerability remediation work. As a result, hackers constantly exploit common vulnerabilities and exposure (CVEs) for which patches have been available for weeks, months and even years.
In its 2015 Data Breach Investigation Report, Verizon found that almost all of the vulnerabilities exploited in 2014 had been disclosed more than a year earlier.
Clearly organizations have a prime opportunity to slash their risk of breaches through an effective vulnerability prioritization program — ideally, one that ranks vulnerabilities based on their risk to the organization, and prioritizes their remediation accordingly.
A Snapshot into the Current State of Vulnerability Prioritization
SANS Institute’s second annual survey on continuous monitoring (CM) programs — titled “Reducing Attack Surface” and published Nov. 2016 — shows there is plenty of room for improvement in organizations’ vulnerability prioritization and remediation efforts.
The study, which polled organizations of all sizes and from most industries, found that only 12% described their vulnerability ranking process as “fully automated,” while another 43% called theirs partially automated.
Meanwhile, only 7.5% called their remediation process “very effective” — meaning that their processes “include automated prioritization and workflow to ensure vulnerabilities are repaired or shored up” securely across systems, and that repairs are maintained.
Another 54% rated their remediation process “effective enough,” which means they manage to keep attackers out, but are in need of more repair status visibility and of more workflow automation. The remaining 37% know what they need to repair but face limitations in follow-through, budgets, staff and tools, including automation.
With regards to the time it takes organizations to remediate, 68% of respondents said they’re able to repair, patch or mitigate critical vulnerabilities in under a month.
While this is up from 54% in 2015, the ideal is to fix critical vulnerabilities in one day, because risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer. Among respondents, 10% reported being able to remediate critical vulnerabilities in 24 hours or less.
Another area of concern: less than 6% of respondents was able to remediate all critical vulnerabilities in their IT environments.
Taming the Vulnerability Overload
Key to properly prioritizing remediation work is the ability to correlate vulnerability disclosures with the organization’s IT asset inventory. To do this, you naturally need a comprehensive and searchable inventory of your IT assets and a complete log of vulnerability disclosures. Both elements need to be continuously updated.
This way, you’ll be able to “connect the dots” and obtain a clear picture of the vulnerabilities that exist in each IT asset.
Then you must delve deeper and weigh more granular criteria about both the impacted IT assets and their vulnerabilities, as recommended in the Center for Internet Security (CIS) Critical Controls Section 4.8, which reads: “Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops).”
The CIS document goes on to recommend applying patches for the riskiest vulnerabilities first, minimizing impact to the organization with a phased rollout and establishing expected patching timelines based on the risk rating level.
For example, with regards to IT assets, you should factor in things like:
- the importance of the role they play in critical business operations
- their level of interconnectedness with other assets in your IT environment
- the level of exposure to the internet via web and mobile apps
- the size and nature of their user base
Regarding vulnerabilities, take into account whether they:
- Are “zero day” type
- Are being actively exploited in the wild
- Represent a big threat for data integrity and data protection
- Can lead to “lateral movement” attacks on other systems after the initial breach
- Are a conduit for DDoS attacks
Out of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you’ll be able to come up with an accurate remediation plan.
Obviously, these assessments of IT assets and vulnerabilities must be automated, so that they can be conducted continuously. This is necessary because, as stated earlier, new vulnerabilities are disclosed every day. But that’s not the only reason.
Often vulnerabilities disclosed months or even years before can suddenly become more dangerous if, for example, they’re targeted by exploit kits that make them easier to compromise by a much larger universe of hackers.
Meanwhile, your IT asset inventory also changes frequently:
- Hardware is added, while other hardware is decommissioned, including PCs, tablets, cell phones, servers, storage arrays, IoT sensors and networking equipment.
- Software is removed, updated and installed, including OSes, databases, middleware, applications and firmware.
- The business and technology roles of IT assets also change, lowering or increasing their level of importance.
In other words, the intensity and types of threats presented by the vulnerabilities in your IT environment are always shifting and changing, forcing you to reassess your remediation prioritization plan.
What Success Looks Like
Advanced persistent threats, those sinister attacks that are tailored and customized for particular organizations or even individuals, receive much attention. However, organizations are more likely to be hit by automated, wholesale attacks designed to compromise known vulnerabilities that haven’t been patched.
“The tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies,” reads Verizon’s 2016 Data Breach Investigations Report (DBIR). “Hackers use what works and what works doesn’t seem to change all that often. Secondly, attackers automate certain weaponized vulnerabilities and spray and pray them across the internet, sometimes yielding incredible success.”
If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks. In a way, it’s a defense similar to immunization.
When the most dangerous and critical vulnerabilities are consistently addressed in your most important IT assets on a timely basis, your organization will be in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps.
We’ll continue this series next week with a trio of tips for ensuring your organization complies with external regulatory mandates, enforces internal policies and assesses the risk of doing business with vendors and other third parties.
Qualys ThreatPROTECT helps you take full control of evolving threats, so you always know which to remediate first. Start your free trial.